DIB Contractor MSP Evaluation Checklist & Buyer's Guide
For defense contractors who need to know whether their MSP candidates can deliver on CMMC services.
Most DIB contractors don't discover that their MSP isn't qualified for CMMC services until months into the relationship, when the roadmap still hasn't arrived and leadership is frequently asking for updates.
By then, your timeline has compressed. The assessment window is closing. And the person responsible for CMMC is trying to manage the compliance effort themselves while waiting on a vendor who can’t keep up.
This guide helps defense contractors evaluate MSPs during the interview process – long before that situation develops.
Built by practitioners who work in this environment.
This guide was developed by Gar Whaley (CMMC Registered Practitioner, CISSP, CISM, CGEIT, CISA) and Reid Johnston, cofounders of Teal CMMC, drawing on more than 50 combined years of experience supporting regulated organizations. The questions and frameworks here come from years of watching MSP relationships succeed and fail in regulated environments – so you know exactly what to look for before you commit.
What’s inside:
- Early assessment checklist to weed out poor fits before investing time in formal evaluations
- MSP vetting checklist with questions across nine domains, including the MSP's background and incident response and reporting
- Shared Responsibility Matrix overview
- Example Shared Responsibility Matrix
Who this guide is for:
- Defense contractors handling CUI, FCI, or ITAR-regulated data.
- Organizations working toward or maintaining CMMC Level 2 certification.
- Compliance leads and leadership teams evaluating a current or prospective MSP for CMMC services.